What is NAC? (Network Access Control)

Ali Tas
5 min read · Jan 15, 2021


NAC (Network Access Control) is a cyber security solution that controls the access to the network of an institution or organization with predetermined security policies.

Because attackers initially launched their attacks over the internet, the security focus on the outer layer of the network was not very high. Attacks reaching that layer were left to the antivirus software installed on the computers. NAC solutions gained importance as attackers increasingly obtained valuable information by getting physically closer to the network.

The area protected by NAC is the outer, user layer of the network. NAC has no policy for, and does not deal with, attacks that may come from the WAN and the internet, which form the backbone of the company's main network; nor does it deal with data leaving the network. It only makes the network visible by trying to prevent infiltration at the outer shell of the network. Through this visibility it strengthens the company's IT and security policies by building an inventory of all devices in the network, the software used on those devices and their versions. It also helps to counteract zero-day attacks and to prevent severe attacks on the system.

Basically, the outer layer of the network holds user devices or groups of user devices. Therefore, the focus of NAC is end devices. End devices include the switches at the outer layer, computers, flash drives, CD readers, IoT devices, printers, scanners, BYOD devices, etc.

NAC and peripherals in the outer layer are shown in the figure.

The more different network components a network contains, the riskier that network is. Therefore, rather than finding a separate solution for each component, evaluating all components on a single platform and defining common policies appears to be the most effective approach. At this point, NAC is an indispensable solution for large networks and is one of the most important components of the solution set pointed out by GDPR.

Network security with NAC takes place at four levels:

1. Authentication: identify who is connecting.

2. Authorization: what permissions and rights does the connecting device have?

3. Security scan: detect any security problems or missing patches on the device and report them to the NAC server.

4. Vulnerability control and enforcement of policies:

   a. No vulnerabilities:

      i. The connected device could not be identified: move it to the guest network.

      ii. The connected device is identified: admit it to the network.

   b. There is a vulnerability:

      i. The connected device could not be identified: fix the vulnerability, then move it to the guest network or isolate it completely from the network (depends on policy).

      ii. The connected device is identified: fix the vulnerability and admit it to the network; if the vulnerability cannot be resolved, place it on the guest network. Report to the server.
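The four-level flow above, written out as a small policy engine. This is an added example, not code from the article or from any NAC product; the device fields, the `Placement` names and the sample MAC addresses are constructed for illustration, and the choice between guest network and full isolation in case 4b-i is exposed as a parameter because the article leaves it to site policy.

```python
from dataclasses import dataclass, field
from enum import Enum

class Placement(Enum):
    PRODUCTION = "production"   # full network access
    GUEST = "guest"             # guest VLAN with limited access
    ISOLATED = "isolated"       # cut off from the network entirely

@dataclass
class Device:
    mac: str
    identified: bool                                     # level 1: authentication succeeded?
    vulnerabilities: list = field(default_factory=list)  # level 3: findings from the security scan
    remediated: bool = False                             # did the "fix the vulnerability" step succeed?

@dataclass
class Decision:
    placement: Placement
    report: bool   # send a report to the NAC server?
    reason: str    # which branch of the policy tree applied

def apply_nac_policy(dev, unidentified_vulnerable=Placement.GUEST):
    """Level 4: combine identification and scan results into a placement.
    unidentified_vulnerable is the site's choice for case 4b-i (guest or isolated)."""
    if unidentified_vulnerable not in (Placement.GUEST, Placement.ISOLATED):
        raise ValueError("case 4b-i allows only the guest network or full isolation")
    if not dev.vulnerabilities:                          # 4a: no vulnerabilities
        if dev.identified:
            return Decision(Placement.PRODUCTION, False, "4a-ii: identified, clean")
        return Decision(Placement.GUEST, False, "4a-i: unidentified, clean")
    # 4b: at least one finding; the scan result is always reported to the NAC server
    if not dev.identified:
        return Decision(unidentified_vulnerable, True, "4b-i: unidentified, vulnerable")
    if dev.remediated:
        return Decision(Placement.PRODUCTION, True, "4b-ii: identified, fixed")
    return Decision(Placement.GUEST, True, "4b-ii: identified, unresolved")

def enforce(devices, **policy):
    """Apply the policy to every device that just connected; returns {mac: Decision}."""
    return {d.mac: apply_nac_policy(d, **policy) for d in devices}

# Constructed sample: four endpoints hitting the access layer at once.
SAMPLE = [
    Device("00:11:22:33:44:01", identified=True),
    Device("00:11:22:33:44:02", identified=False),
    Device("00:11:22:33:44:03", identified=True, vulnerabilities=["missing OS patch"], remediated=True),
    Device("00:11:22:33:44:04", identified=False, vulnerabilities=["outdated AV signatures"]),
]
```

Calling `enforce(SAMPLE, unidentified_vulnerable=Placement.ISOLATED)` places the first device in production, the second on the guest VLAN, the third in production with a report, and the fourth in isolation with a report.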

NAC restricts individual user devices or groups of user devices and enforces antivirus software, patching, a firewall and spyware-detection programs on the connected user.

During the NAC setup process:

1. The network architecture should be checked in detail and an inventory of all end devices and neighboring devices should be made.

2. The ways in which the company does business should be analyzed in detail; a NAC architecture and policy that conflicts with how the company works and prevents it from performing its basic functions should be avoided.

3. NAC policies, and who may reach which resource, should be communicated to everyone from the General Manager down to the most junior employee of the company.

4. After NAC is installed, the device inventory detected by NAC should be compared with the company's own inventory, and action should be taken on missing or excess devices.

5. NAC policies should be updated for each newly added device group or new way of working, and employees should be notified of the changes.

6. Since the IT-Network, Software and Security units are separate in large-scale companies, the unit that writes and controls NAC policies should work closely with all teams. Otherwise, employees far from the company's main site may be unable to access system resources, causing serious problems from time to time.
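Step 4 of the setup process, comparing what NAC discovered with the company's own inventory, as an added example (not the article's or any vendor's code). Both device lists, their field names and the MAC addresses are constructed; a real NAC export and asset database would carry more fields, but the three-way split into excess, missing and mismatched devices is the check the step calls for.

```python
# Constructed sample: what NAC saw on the access-layer switches ...
NAC_DISCOVERED = {
    "00:11:22:33:44:01": {"ip": "10.0.1.10", "type": "workstation", "port": "sw1:Gi0/1"},
    "00:11:22:33:44:02": {"ip": "10.0.1.11", "type": "printer",     "port": "sw1:Gi0/2"},
    "00:11:22:33:44:03": {"ip": "10.0.1.12", "type": "iot-camera",  "port": "sw2:Gi0/7"},
    "00:11:22:33:44:04": {"ip": "10.0.1.13", "type": "workstation", "port": "sw2:Gi0/8"},
}

# ... and what the company's own asset inventory claims.
COMPANY_INVENTORY = {
    "00:11:22:33:44:01": {"type": "workstation", "owner": "finance"},
    "00:11:22:33:44:02": {"type": "printer",     "owner": "facilities"},
    "00:11:22:33:44:04": {"type": "laptop",      "owner": "sales"},   # type disagrees with NAC
    "00:11:22:33:44:05": {"type": "server",      "owner": "it"},      # never seen on the network
}

def reconcile(nac, inventory):
    """Split devices into: on the network but not in inventory (excess),
    in inventory but not seen by NAC (missing), and present in both but
    described differently (mismatched)."""
    nac_macs, inv_macs = set(nac), set(inventory)
    excess = sorted(nac_macs - inv_macs)
    missing = sorted(inv_macs - nac_macs)
    mismatched = sorted(m for m in nac_macs & inv_macs
                        if nac[m]["type"] != inventory[m]["type"])
    return {"excess": excess, "missing": missing, "mismatched": mismatched}

def actions(report, nac):
    """Turn the three lists into follow-up items, naming the switch port to check."""
    items = []
    for mac in report["excess"]:
        items.append(f"INVESTIGATE {mac} on {nac[mac]['port']}: not in inventory, "
                     f"keep on the guest network until an owner is confirmed")
    for mac in report["missing"]:
        items.append(f"VERIFY {mac}: in inventory but not seen by NAC "
                     f"(decommissioned, offline or moved?)")
    for mac in report["mismatched"]:
        items.append(f"CORRECT {mac} on {nac[mac]['port']}: inventory says a different "
                     f"device type than NAC observed ({nac[mac]['type']})")
    return items

if __name__ == "__main__":
    for line in actions(reconcile(NAC_DISCOVERED, COMPANY_INVENTORY), NAC_DISCOVERED):
        print(line)
```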

NAC Types

Agent-based NAC: provided by installing the NAC agent on the endpoint device. All NAC policies are enforced through this agent, and new policies are distributed through updates from the server. An example of agent-based NAC is the 802.1X protocol, an IEEE-defined protocol that prevents devices from joining the network before they are assigned an IP address. All endpoint devices, network devices and legacy hardware must be configured to use 802.1X.

Agent-based NAC has serious drawbacks: agent setup, agent installation for guest users, control of IoT devices and management of devices other than user computers, as well as the operational difficulty of adapting every network to the 802.1X protocol.

Agentless NAC: no additional setup is required. Instead, this type of network access control evaluates the suitability of both endpoints before the user is allowed onto the network. Its drawback is that authorization is achieved by evaluating network traffic. Agentless NAC basically controls switch ports; for this reason, all devices in the system must be IP-based. It can be installed and commissioned very quickly since it requires no operational change to the system.

Hardware-based NAC: works with a device installed in the network that operates on the network traffic. This type of network access control requires changes in infrastructure and operating practices to allow end-user-defined access. Because the implementation requires significant server configuration changes, the probability of failure is higher than with the other types of network access control. The type of network access control you choose for your organization depends on your network architecture. Before choosing an option suitable for your organization, carefully determine the network architecture and the policies to be applied to end users.

If you have any questions, here is my contact information:

tas.alich@gmail.com

Ali Tas

BERN / SWITZERLAND
